Why you need to rethink app sec in the age of BYOD, IoT

Craig Hinkley, CEO, WhiteHat Security

Vulnerabilities still exist in applications, but application security today has little in common with application security 20 years ago. Nearly every facet of applications has changed in the past two decades: how they connect to networks, how and when they are used, and what type of data they hold and transport.

As bring your own device (BYOD) and mobility become the norm, employees expect on-demand access to data and will often trade security for convenience, which adds the burden of protecting applications that are used on the go. Add today's constantly changing threat landscape, in which hacktivists, organized crime groups, nation-states, and terrorists pose real threats, and it is evident that traditional software development processes are not doing enough to secure applications.

App sec in the hot seat

While vulnerable apps already cause big headaches for infosec professionals, the emerging Internet of Things (IoT) promises to further complicate application security strategies. (Gartner says connected things in use worldwide will reach 20.8 billion by 2020.) As members of the security community, we view this connectivity as an expanded attack surface: more applications mean more potential vulnerabilities. Any vulnerable connected app, whether it runs in a refrigerator, a copy machine, or a point-of-sale card reader, can serve as a new entry point for an attacker into the organization.

Caught between repairing insecure applications already in use and preparing for the coming wave of security concerns, the infosec community must expand the definition of "application security" from a process of identifying and patching vulnerabilities (when the developers get to them) to an all-inclusive defense strategy that involves IT, developers, and business leaders alike.

Here are three steps toward developing a modern security program:

1. Evaluate risk

What type of information can hackers access if they find an entry point to your applications? What is most important for your business to safeguard?

2. Understand where you are vulnerable

Vulnerabilities vary across organizations, and even industries, so application security is not one size fits all. Do most of your applications have vulnerabilities, or do a handful of applications have a few high-severity ones? Are there weaknesses that extend beyond the application code? A distributed denial-of-service (DDoS) attack that takes down your web app and renders it useless to customers is as much an application security problem as a poorly written app that crashes.

3. Check in with developers and partners

All parties that touch application development and deployment need to know the overall goals. When a vulnerability is found in one application, are developers told so that they don't repeat the mistake in the next one? How are you sharing threat intelligence with your vendors? The focus needs to be on building more secure software, not on adding more security software.
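One way to turn the three steps above into a repeatable triage, as an added example that is not code from the original article: the application inventory, the scan findings, the 1-4 data-sensitivity scale, the severity weights, and the "concentrated" heuristic below are all constructed or assumed for illustration. Step 1 ranks applications by the data an attacker would reach, step 2 asks whether the problem is broad or concentrated, and step 3 surfaces weakness classes that recur across applications owned by different teams, which is exactly what developers need to hear about to avoid repeating the mistake.

```python
"""Triage constructed application-scan findings along the three steps above.

Added example, not code from the original article. The inventory and findings
are constructed sample data; the data-sensitivity scale, severity weights and
the 'concentrated' heuristic are assumptions chosen for illustration.
"""
from collections import defaultdict

# Step 1 input: what an attacker reaches through each app (constructed inventory).
# data_class is an assumed 1-4 scale: 1 public ... 4 regulated (card data / PII).
APPS = {
    "marketing-site": {"data_class": 1, "owner": "web-team"},
    "customer-portal": {"data_class": 3, "owner": "portal-team"},
    "pos-gateway": {"data_class": 4, "owner": "payments-team"},
    "hr-intranet": {"data_class": 3, "owner": "it-apps"},
    "print-admin": {"data_class": 2, "owner": "it-apps"},
}

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}  # assumed

# Step 2 input: constructed scanner findings as (app, weakness class, severity).
FINDINGS = [
    ("marketing-site", "CWE-79", "medium"),
    ("marketing-site", "CWE-79", "low"),
    ("customer-portal", "CWE-89", "critical"),
    ("customer-portal", "CWE-79", "medium"),
    ("pos-gateway", "CWE-287", "critical"),
    ("hr-intranet", "CWE-89", "high"),
    ("print-admin", "CWE-798", "high"),
]


def app_risk(findings=FINDINGS, apps=APPS):
    """Step 1: rank apps by severity weight x data sensitivity, summed per app.

    A single critical finding in an app holding card data outranks several
    findings in an app that exposes only public content.
    """
    score = defaultdict(int)
    for app, _cwe, sev in findings:
        score[app] += SEVERITY_WEIGHT[sev] * apps[app]["data_class"]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def vulnerability_shape(findings=FINDINGS, apps=APPS):
    """Step 2: is the problem broad (most apps affected) or concentrated?

    'concentrated' (assumed heuristic) means high/critical findings touch at
    most half of the inventory, so a focused remediation push is realistic.
    """
    affected = {app for app, _, _ in findings}
    high = [f for f in findings if f[2] in ("high", "critical")]
    high_apps = {app for app, _, _ in high}
    return {
        "affected_fraction": len(affected) / len(apps),
        "high_or_critical": len(high),
        "apps_with_high_or_critical": sorted(high_apps),
        "concentrated": len(high_apps) <= len(apps) // 2,
    }


def recurring_weaknesses(findings=FINDINGS, apps=APPS):
    """Step 3: weakness classes seen in more than one app, with the teams to brief."""
    apps_by_cwe = defaultdict(set)
    for app, cwe, _ in findings:
        apps_by_cwe[cwe].add(app)
    return {
        cwe: sorted({apps[a]["owner"] for a in app_set})
        for cwe, app_set in apps_by_cwe.items()
        if len(app_set) > 1
    }


if __name__ == "__main__":
    print("Risk ranking:", app_risk())
    print("Shape:", vulnerability_shape())
    print("Recurring weakness classes by owning team:", recurring_weaknesses())
```

Run on the constructed data, the point-of-sale gateway ranks first on a single finding because of the data behind it, every application has at least one finding (so this inventory is a broad problem, not a concentrated one), and the two weakness classes that recur, CWE-79 and CWE-89, each span two teams, which is the list to take into the developer check-in.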

When security is continuous

Upon learning about vulnerabilities in critical applications, there may be a tendency to reach for a short-term fix, but application security is a continuous process. It may seem counterintuitive, but the first step toward a comprehensive application defense program is to step back and evaluate all the components of an inclusive strategy. This top-down approach ensures that your organization considers its unique challenges and lays the foundation for planning the next steps.

It’s no longer just about the individual application, so avoid the trap of adding an application security program “just because.” Unlike 20 years ago, infosec professionals, working alongside business leaders, must now account for complex ecosystems when planning application security strategies: all components of an application, the information the application would expose if compromised, the threat landscape, and overall business goals.

This can all be summed up in one main idea: organizations need to expand their definition of “app sec” to implement an effective program.

Preston Hogue, director of security marketing at F5 Networks, co-authored this post.
